Eric Schmidt has taken to the business pages today to blame Google's heavily criticised Street View Wi-Fi data harvesting operation on the actions of one rogue software coder.
The male Googler in question is now subject to disciplinary proceedings, he told the FT.
That's in spite of the news overnight that the firm applied for …

Page:

One rogue code monkey?

No hardware needed

Streetview vans already, and have always, carried wi-fi identification hardware. They plot AP mac/ssid's along with the lat/long so that google location service users can get a rough position simply by having wi-fi on.

The only new bit of this entire fiasco is traffic fragments from unencrypted AP's being retained without corporate intention to do so

That's nice

This shows Google's extreme two faced duplicity...

@"Make someone a scapegoat, way to go Google"

Its exactly a scapegoat move. It totally defies credibility that just one lone engineer authorized this to be used globally and for years!. Google's management hierarchy are complicit in this action. After all, they want to spy, as its their core business model! ... its just that now they have been caught going to far, so now they are seeking a scapegoat to blame.

Proliferating the problem

<quote>Google will begin handing over the intercepted payload data to German, French, Spanish and Italian regulators within the next two days.</quote>.

What? So the regulators are saying (paraphrased and in translation, obviously) "You shouldn't have collected all that data, but it's ever so interesting, gizza copy, eh?". What the regulators SHOULD be doing is getting cast-iron assurances that the improperly collected data has been expunged, deleted, removed and destroyed, not necessarily in that order.

Re: *nods*

The German government requested the hard-disk drives in order to analyse and determine what exactly was Google collecting. The same is also true, presumably, for the other governments.

Keep in mind that Google did not originally disclosed that they were scanning and tracking SSIDs and MAC addresses, until confronted; and then they actively denied that they were collecting any traffic data at all, until found out. Obviously, the German government did not readily trusted Google when they said "Oh, that! it's just innocent traffic data from non-secured networks, oopsie!" They want to make sure that the data collected was nothing more than this.

Intercept data is evidence

The intercept data is evidence for the various countries' authorities against Google. In each country, they will use it when determining if/when/who goes to court to face criminal proceedings.

No doubt, Google would like to just say the data has been deleted and forget the whole thing - but it might not be that simple. They have been told by some countries that deleting the data may constitute more criminal offences on the part of Google.

You're forgetting something

I'm astonished, nay, disappointed that the Information Commissioner contended himself with a weak slap on the wrist unless the dossier is handed over to the police.

You see, whatever the excuse is really doesn't matter - Google has committed in many countries a criminal offense by recording information that wasn't theirs to access. In the UK this ought to be result in criminal prosecution as well under the Computer Misuse Act.

It cannot be acceptable that some poor schlob gets convicted for using a WiFi network from a pub whereas a mass violation like Google's is left unaddressed.

The gathered information is this evidence - this is also why Google itself had to seek advice. If they had deleted it themselves it could be construed as destroying evidence.

As a slight aside, although the "reason why" doesn't actually matter it ought to be observed that the story keeps changing. In my experience this is symptomatic of executives properly caught with their pants down...

That's not the way it's done

First of all, the regulators are not the prosecution authorities. If criminal (or even civil) proceedings were in the offing, then there would be formal evidence collection *by* the authorities, not Google 'handing it over' at their convenience. My contention is that giving copies to the authorities to pore over is yet another unauthorised disclosure of improperly collected data. I don't necessarily trust French | German | Spanish | [insert_nation] regulators any more than I trust Google.

Don't be evil...

Patented technology?

Err...what's so novel about Wi-Fi data harvesting? All you need to collect SSIDs, MAC Addresses, NAT IPs and what (if any) encyption is being used is a Wi-Fi enabled laptop with a Wi-Fi sniffer program that logs its activities. Add a GPS... and all of that information is effectively in the public domain if you broadcast your SSID, as any Tom, Dick or Harry could pick it up.

The more interesting questions are why did they do it, and what did they plan to do with the data? After all, if you're sensible and use WPA2+PSK with 256-bit encryption or above, they'd find it very difficult to extract anything meaningful from the packets flying across your network.

I suppose it could be used for market research purposes - what proportion of the population use what brand of Wi-Fi router, how many use WEP vs WPA2 vs nothing...

Says more about their coding standards

So there's no code reviews, peer reviews, unit testing or final testing at Google then? In my clients organisation this scenario would be impossible, no code goes into the product without going through at least two levels of code & peer review!

So your the company

that is actually given time to do all those things. Cool. Wish we had the time to do all that stuff.

Please don't assume that just because your client works one way (and a very good way that takes a lot of time), that everyone else does the same.

Look at the 'problem' google were trying to solve - getting SSID's from networks as they whizz past. Not exactly a high security issue there, so no need for the levels of code review you are talking about. . They already had some code that did that, so they reused it, not realizing (or perhaps the guy who reused it did realise, but couldn't be asked to chop out the code) it also grabbed some other fragments of data as well.

I can easily see how this could have been accidental, and Occams seem to show that an accident is more likely that deliberate (because when all is said and done there is no point in recording the extra data being talked about - no profit motive)

no need for code review?

"Not exactly a high security issue there, so no need for the levels of code review you are talking about."

Given that officers and employees of Google in different countries could go to jail, perhaps they should have checked the code before letting the cars wander the streets. It is illegal in some countries (e.g. Germany) to be in possession of such hacking tools unless you are a certified security professional - that's without even using them.

However, cynics may believe that in reality, the code was reviewed and other aspects of change control were applied but Google representatives are being economical with the truth because some of them are frightened of the consequences of authorising such illegal activity.

Run that past me again.

"I can easily see how this could have been accidental, and Occams seem to show that an accident is more likely that deliberate (because when all is said and done there is no point in recording the extra data being talked about - no profit motive)"

Using Ockham's razor here would indicate that if Google was collecting this information, that's what it intended to do.

It's a snooping, intrusive advertising company. What's the profit motive in providing people with free search and e-mail?

Satisfied by a pledge to delete British data "as soon as reasonably possible"

Feak and weeble

What, you want to see a pledge to delete the British data more quickly than is reasonably possible? I think that is, by definition, unreasonable. If, in the alternative, you think that the British data should be preserved and copied to the ICO, and probably to GCHQ and MI5 within seconds after that, you're dimmer than I take you for.

Re: Do you honestly think

Now we know why ...

... Google allows its engineers to spend 20% of their time on their own projects - that way if they have any problems they can just say "it was one engineer coding in his 20% personal project time so its not really our responsibility".

Ay least Schmidt didn't use the Brownian line of "we screwed up, I take full responsibility and the relevant engineer has been fired"

But

More than that

That's the whole point in the fuss.

They INTENTIONALLY collected AP MACs and SSID's

They UNINTENTIONALLY (allegedly) also recorded the payload of the packets - i.e. whatever was being sent over the network at the time - e-mail, files whatever. Though keep in mind they probably only collected a few packets from each network, so won't have got much.

Re: But

No, I believe google captured all packets in raw form as their radio was channel hopping to find channels to intercept. Much as you can using the madwifi driver and a standard atheros WIFI nic under wireshark.

Wireshark by the way decodes wireless 802.11 frames in their entirety just fine, and if you provide the key, it will decode and display decrypted frames as well.

Other projects exist to decrypt packets with weak wep keys in a matter of minutes, however so far nobody's accused google of doing this.

Re: Re: But

This is why the German government has requested the disks, in order to review the actual data collected and determine if there were any other laws broken. They stated this at the start of the investigation.

Yup

Sorry wasn't very clear in what I meant. When I said they also recorded the payload what I meant was;

The aim was

1) Capture Raw Packets

2) Extract AP MAC/SSID info

3) Delete all other info

4) Store remaining info

What they did was 'forget' step 3, so the payload was also written to disk.

Yeah, I did wonder if they may have perhaps tried to decrypt any WEP encrypted. After all, if this truly was a Proof Of Concept accidentally released, it's a function you might include as a curiosity, and so would have gone with the rest of the 'accidentally' released code onto the cars.

Smack the peeping tom.

I always had the impression that capture of data of computer system, without the owners consent was illegal. All those ways of monitoring ATM's (Its public you know). Listening to peoples conversations inside their own house, from the deformations of their windows. Hell being a peeping tom, cause the curtains were open a gap. Delicate little metal containers of resonant dimensions.

Take it to court for capturing SSID's and MAC's. Smack Google down or get a precedent, that really would open up all sorts of privacy invasion/Hacking possibilities

Much as I hate the term

If they did we'd probably hear 'implied consent' cropping up. They could well try to argue that the failure to secure your wireless implied consent for others to use it.

To take an example, you get robbed because you left your front door open - not unlocked, open/ajar. Old Bill will tell you they can do nothing as you 'invited' the crooks in. I've seen it happen.

So, you could apply the same logic here.

I'm not saying it's reasonable or unreasonable just that you COULD.

A/C - at what point did I make any complaint about it. I personally think this is a big fuss about nothing (in this case), the amount of data captured per network must be tiny. Hell they only have 600GB of data despite how widely they've travelled for so long!

What I find more concerning, is that this could easily be distracting us all from something far more insidious happening in the background!

@rob Dobs - Problem with #1

My router collects all packets that it receives, it then reads the header to see if it is for my network, if it is it relays it, if not it gets discarded. (would you like this #1 to be illegal also?)

Oddly enough DSL and Cable routers are also on networks with specific addressess, they also can recieve everything from any device on the same subnet and also use the address to determine relevance.

What you would like to believe is law, is often NOT the case. It is often the case that the law covers usage of said data that is otherwise to what was intended by the technology. ie Receiving for the purpose of identification and routing is intended, storing/saving the data is not.

There is a reference to the recent widely reported court ruling in Italy which convicted three Google executives of criminal wrongdoing after YouTube showed footage of a disabled boy being bullied by classmates.

Schmidt says "“The judge was flat wrong. So let’s pick at random three people and shoot them. It’s bullshit. It offends me and it offends the company."

This is not me quoting the article out of context, this is Schmidt apparently unable/unwilling to understand that senior managers are paid a lot of money and the reason they are paid a lot of money is that they are supposed to be legally responsible for what their organisations get up to, whether that is making money or making trouble.

(References to random shootings don't seem real helpful either especially this week but I guess they're relatively routine in the USA?)

The man is sick.

"why did they do it, and what did they plan to do with the data? "

Excellent question. Obviously they intended to "monetise" it, that's what they do, but the details are as yet unclear.

Indeed it is, though not for the reasons you posted.

The Italian judge was "flat wrong", if I post a letter to you and all of your friends ridiculing you and recalling some time I observed people assaulting you, who is to blame for the resulting harm? Is it the Post Office, is it the CEO of the company running the Post office? Or is it perhaps me?

Google deserve to be smacked for the data packets they retained. But we must not conflate that with the legitimate actions of scanning the MAC/SSID/signal strength of local AP's for location data which streetview vans will/should continue to do.

Agreed

The Italian Judge was out of his head to make such a decision.

With regards to the current issue, the problem is many commentards don't seem to be able to absorb that the recording of payloads was accidental - the MAC/SSID was deliberate. Which is why we keep having to read comments asking how you can accidentally fit WiFi kit to the car!!!

Gets quite annoying after a while

People tell me that I'm intolerant, but it's not my fault that they are f*ckin morons!

@Andy Enderby 1

You're saying Google pattented sniffing and storing private data? LOL. The technology is all about mapping AP locations for use in location services.

So maybe repeating it one more time will get it into your paranoid brain (I fear not, but anyway): Google was capturing network IDs (names, MAC addresses) to map on GPS coordinates, so that your wifi enabled phone can use the available networks as an indication where you are.

They never wanted the data on the networks. What would they do with it anyway.?

OK, now go out and never go near a computer again. It's too difficult for you to grasp.

No Title

This is what I don't entirely understand about the fuss, given the range of a network and the speed of the cars, they would only have captured a few frames.

Add to that the fact that;

- The networks were probably open (see my earlier comment about WEP)

- Stuff like Internet Banking should be conducted using SSL anyway

- Connections to POP/SMTP servers usually take place of SSL/TLS (there are exceptions)

There aint likely to be a lot of interest to the big G in those frames? Part of a netbios session? Perhaps a client syncing their clock with NTP?

Yes it was wrong, but it was (allegedly) a mistake (in this case, I actually believe them), but it's hardly a major privacy invasion. If your network was picked up by Google, then you'll probably find your neighbour has a far better chance to infringe your privacy than this gave Google

@petur

>> "They never wanted the data on the networks. What would they do with it anyway.?"

Oh, so you must work for Google to know this as a fact, right? Or perhaps you are the judge presiding the cases brought against the company and have already reviewed all the evidence to determine this?

I do not claim that Google was doing anything wrong, or even that they captured the data knowingly and intentionally. However, I do not have the full set of evidence on either side of the arguments, so I cannot, in good conscience, make an accurate judgement at this time.

That said, it seem perfectly reasonable that the data was being captured in order to analyse their timing patterns and determine physical location in relation to the Street View car (as the patent states), and that the data was kept inadvertently, mistakenly, past its useful purpose.

At the same time, it seems also perfectly reasonable that a large American corporation with a history of stretching the acceptable boundaries of privacy, and a penchant for capturing as much information as possible in order to monetize it or to grow their advertising business, could conceivably decide to store this transient data with the hope of extracting some value from it, at some time.

Both are allegations, and both--to me--are reasonable.

My guess is that this is what the German government is attempting to determine, and I shall wait until all evidence is in before defending or condemning Google.

Hey , Google Apologist

In your hurry to defend your favourite adbroker, you sure picked the wrong person to address your ranting to. Take a good dose of valium and stay away from your computer for the next week or so.

Next step: go read the patent application linked to in http://www.theregister.co.uk/2010/06/03/google_wardriving_patent/ , and tell us where it explicitely says that they *WON'T* retain and/or analyse packet data beyond SSID and MAC

New Google Job Offerings

@petur "Stop spreading FUD"

...along with 600GB of payload data, as Google themselves have admitted, after the German regulator caught them.

If they just wanted the SSIDs, they would have used a capture filter for the related packet types. The MAC addresses could be obtained from any packets. There is no reason to capture everything, particularly given the questionable legality of sniffing on WLANs where the SSID has been set to "hidden".

Re: Destructed Data

I thought that all the data was put onto a few hard drives and destroyed in front of auditors? Apparently, this was only England's data? So, only 600GB recorded IN ENGLAND? Or was that the WHOLE OF THE BRITISH ISLES?

If it was, in fact, the ONLY COPY of ALL THE DATA collected by Google, how could there be any data to deliver to other countries?